This morning, Global Payments held a conference call with investors and analysts covering their earlier breach announcement and projected earnings. Global Payments had also released an update advisory yesterday stating that "the company believes that the affected portion of its processing system is confined to North America and less than 1,500,000 card numbers have been exported" and that only Track 2 card data may have been stolen.

In discussing the breach, Paul Garcia, Chairman and CEO of Global Payments, reiterated that the investigation is ongoing, but that the 1.5m stolen card details likely represent an upper bound on the loss and that it only affected a "handful" of North American servers (i.e. this was not a merchant breach). At this point, they are not aware of any fraudulent transactions related to the data theft.

Obviously, given that they self-reported a breach, Global Payments is no longer Visa PCI certified and must now attempt to re-earn their ROC (Report on Compliance). Not being Visa PCI certified doesn't mean that they cannot process Visa cards — rather that, by being non-compliant, they will be liable for fines and additional losses. When asked during the call about the likely charges and liabilities arising from the breach, listeners were reminded several times that the investigation is continuing and that the company has sufficient insurance to cover prospective liabilities. It was stated that Mastercard may take similar PCI certification actions.

I thought it was interesting that Global Payments had received assurances from competitors that they wouldn't capitalize on the breach — since any one of them could be similarly affected in the future (if not already breached, but undetected so far). I'm not sure how credible that is, and I'd be surprised if some of the competitors' sales folks weren't already independently using the breach to further their own agendas.

Global Payments stressed that, contrary to rumors, this is the first breach that the company has suffered. The breach itself is believed to be contained and was picked up by their server data monitoring and breach detection tools — "just not well enough" (no hints were made as to the nature of the technology deployed).

So, while the forensics investigations continue, what does it all mean? Based on the information disclosed thus far, it sounds like Global Payments is doing everything the right way. They disclosed as soon as they had enough information and confidence in their discoveries to do so. They've been using data monitoring tools to spot breaches — although these controls proved insufficient to stop the threat and don't sound as if they reported in real time. They've pulled in experts to help them get to the bottom of the breach. And they're aware of the business consequences — having taken out sufficient insurance to protect against associated liabilities. What's left?

Last week a figure of 10,000,000 had been floated as the size of the theft. It now appears that 1,500,000 cards were stolen. No discussion was provided as to what other data had been exposed (i.e. no "evidence" that it had actually been stolen). Regardless, while 1.5m is less than 10m, it's still a damned big number, and it will cost the card distribution agents quite a bit of money to clean up and reissue cards — all of which Global Payments will need to cover. I think that lessons have been learned from the big data breaches like TJX, but it would appear that the cost of a breach is largely independent of the number of cards actually lost.

Global Payments has been deliberately cautious in revealing any details as to how the incident occurred and the nature of the systems that failed to prevent the intrusion or alert on the breach. I'd expect that time will shed more light on the attack vectors. It is important that such details are exposed as and when it is prudent to do so. While Global Payments is a multi-billion-dollar enterprise, there are still hundreds of other card clearing houses around the world that could benefit from detailed disclosures of the incident so that they could construct better defenses. While these may be competitors to Global Payments, we — as in you and I — are the potential victims of their inadequate defenses, and I'd like assurances that they're doing better than they are today.

Share your comments

When is the old legacy "grossly insecure" credit card payment system going to be fixed or replaced? It's a system that depends on the trust of the millions of merchants all over the world to be honest.

It needs to be replaced with a smart-card type system that allows a bank account holder to communicate securely with their own bank (through a secure backchannel at each merchant terminal or via your computer) to authorize a transaction the merchant has pending (at the clearing house, where the bank queries for it). The backchannel also needs to be TWO layers: one TLS layer to the clearing house itself, and another inside that layer to the bank, so the merchant does not even sniff what bank your account is at.

In such a system, the merchant gets to know if the bank authorized the transaction. Any issues of invalid authorizations are between the account holder and his bank.

The merchant gets a unique 128-bit transaction ID from the clearing house. That ID is sent over to the smart-card which can pass it on to the bank. It asks the bank to get the transaction record from the clearinghouse, which includes the merchant's legal identification, and the amount and currency. If the holder authorizes it, the authorization goes to the bank, then to the clearinghouse, and back to the merchant.

The smart-card requires a pass code entry by the account holder using configurable means the holder and bank agree on. Things like how long the pass code entry remains valid before expiring, etc.

This should NOT be a phone app for security reasons. It should be implemented entirely in the bank-issued smart-card that has its own CPU and UI. Communication can be by "remote control" style IR LED to a like port at the merchant cash register, or via Bluetooth to a PC or phone when making purchases online.

The key to this system is that we replace the worthless "trust in millions of merchants" with "singular trust in the bank your account is at". Globally unique transaction IDs ensure no duplication of charges (the bank would have some explaining to do if they debit the same ID to an account twice). So no more "double swipe" becoming "double charge".

Even this system is not without flaws. But it would be significantly better than what we have now.

For consumers it eliminates the nightmare of random charges from all over if one merchant is sloppy or a phishing site managed to trick a consumer. At best a phishing site can get money only for the transactions the user authorizes. There is still the risk the merchant won't deliver on payments. And chargebacks would be a different process (the merchant would need the right to know who the consumer is if the chargeback is approved). And it would still be possible for the smart-cards to be physically stolen, either after they watched the pass code entry, or coerced the user to enter it (but we could have a pass code that would make things look valid for a while then freeze out the smart-card a random number of minutes later).
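The authorization flow sketched in the comment above, as an added toy simulation that is not part of the original post or of any real payment network: the ClearingHouse, Bank and SmartCard classes, the account names and the sample purchase are all constructed for illustration. It shows the two properties the comment relies on, namely that the holder rather than the merchant approves the record fetched from the clearing house, and that the bank refuses to debit the same 128-bit transaction ID twice, so a double swipe cannot become a double charge.

```python
import secrets

class ClearingHouse:            # holds pending transactions keyed by a random 128-bit ID
    def __init__(self):
        self.pending = {}
    def open(self, merchant, amount, currency):
        tid = secrets.token_hex(16)   # 128 bits, globally unique; handed to the merchant terminal
        self.pending[tid] = {"merchant": merchant, "amount": amount,
                             "currency": currency, "authorized": False}
        return tid
    def lookup(self, tid):
        return self.pending.get(tid)  # the bank fetches the record from here, not from the merchant

class Bank:                     # debits an account at most once per transaction ID
    def __init__(self, clearing, balances):
        self.clearing, self.balances, self.debited = clearing, balances, set()
    def authorize(self, account, tid, holder_approves):
        record = self.clearing.lookup(tid)
        if record is None:
            return "unknown transaction"
        if tid in self.debited:
            return "duplicate"        # a second swipe of the same ID is refused, not charged
        if not holder_approves(record):
            return "declined by holder"
        self.balances[account] -= record["amount"]
        self.debited.add(tid)
        record["authorized"] = True   # the only thing relayed back to the merchant
        return "approved"

class SmartCard:                # bank-issued device with its own pass code and display
    def __init__(self, bank, account, passcode):
        self.bank, self.account, self.passcode = bank, account, passcode
    def present(self, tid, entered, holder_approves):
        if entered != self.passcode:
            return "bad pass code"    # nothing is sent to the bank
        return self.bank.authorize(self.account, tid, holder_approves)

def demo():
    ch = ClearingHouse()
    bank = Bank(ch, {"alice": 10_000})          # constructed sample balance, in cents
    card = SmartCard(bank, "alice", "4321")
    tid = ch.open("Acme Coffee Ltd", 450, "USD")  # constructed sample purchase
    ok = lambda r: r["currency"] == "USD" and r["amount"] <= 5_000   # what the holder will approve
    first = card.present(tid, "4321", ok)
    second = card.present(tid, "4321", ok)      # merchant double-swipes the same ID
    return first, second, bank.balances["alice"], ch.lookup(tid)["authorized"]
```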
